Authorizing requests to Compute Engine

If you use the Compute Engine API to manage your
Compute Engine resources, you can authenticate your applications to
the API by obtaining credentials from a Compute Engine service
account. Service accounts allow your application to authenticate to the API
without embedding any secret keys in your application code.

Service accounts are recommended for most situations where your application must
authorize requests to the API. However, if you are building development or
administration tools where users grant you access to their Google Cloud
resources, use a user authorization flow instead.

Applications that run on Compute Engine instances

If you run applications on your Compute Engine instances,
application default credentials can obtain credentials through built-in
service accounts. Read
Creating and Enabling Service Accounts for Instances
to configure your instances with these built-in service accounts and run your
application on a Compute Engine instance.

Applications that run outside of Google Cloud Platform

If you run applications on systems outside of Google Cloud Platform, your
applications can use application default credentials to obtain credentials
from environment variables on those systems. See
How Application Default Credentials work
to configure your environment variables with the necessary credentials.

Applications that are in development

While you develop your applications locally, you can use
the gcloud auth application-default login
command in the gcloud tool to temporarily
obtain user credentials for your application. This command is useful when
you are developing code that would normally use a service account, but you need
to run the code in a local development environment, and it is easier to provide
user credentials. The credentials apply to all API calls that make use of
the Application Default Credentials client library.

The application obtains credentials from the tool. Later, you can deploy your
application to Compute Engine instances where the application
automatically obtains credentials from the
built-in service accounts, or to other systems
with credentials specified in their
environment variables.

Example: authenticating using application default credentials

This example uses the
Python Client Library to authenticate
and make a request to the Cloud Storage API to list the buckets in a project.
The example uses the following procedure:

1. Obtain the necessary authentication credentials for the Cloud Storage API
   and initialize the Cloud Storage service with the build() method and the
   credentials.

2. List buckets in Cloud Storage.

You can run this sample on an instance that has access to manage buckets in
Google Cloud Storage, on your local machine after running
the gcloud auth application-default login command, or after setting
an environment variable to use application default credentials.
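
The procedure above, written out as an added example (not the sample from the original page or from Google). It assumes the google-auth and google-api-python-client packages are installed; expected_adc_source() is a hypothetical helper, and the gcloud credentials file path it checks is the assumed Linux/macOS location.

```python
"""List Cloud Storage buckets using Application Default Credentials (ADC)."""
import os
from pathlib import Path

# Request read-only access: listing buckets needs nothing broader.
SCOPES = ["https://www.googleapis.com/auth/devstorage.read_only"]


def expected_adc_source(environ=os.environ, home=None):
    """Hypothetical helper: report which credential source ADC will try first."""
    key_file = environ.get("GOOGLE_APPLICATION_CREDENTIALS")
    if key_file:
        return "environment variable: " + key_file
    # Assumed Linux/macOS location of the file written by
    # `gcloud auth application-default login`.
    home = Path(home) if home else Path.home()
    user_file = home / ".config" / "gcloud" / "application_default_credentials.json"
    if user_file.is_file():
        return "gcloud user credentials"
    return "built-in service account"


def list_buckets(project=None):
    """Return the names of all buckets in the project."""
    # Imported here so expected_adc_source() works without the client libraries.
    import google.auth
    from googleapiclient import discovery

    credentials, default_project = google.auth.default(scopes=SCOPES)
    service = discovery.build("storage", "v1", credentials=credentials)
    names = []
    request = service.buckets().list(project=project or default_project)
    while request is not None:  # follow pagination until the last page
        response = request.execute()
        names.extend(bucket["name"] for bucket in response.get("items", []))
        request = service.buckets().list_next(
            previous_request=request, previous_response=response)
    return names


if __name__ == "__main__":
    # Log the identity source before making calls, so a developer login is
    # never mistaken for the deployed service account.
    print("ADC source:", expected_adc_source())
    for name in list_buckets():
        print(name)
```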

Obtaining access to Google Cloud resources that are owned by users of your application

If you are building development or administration tools where users grant
you access to their Google Cloud resources,
obtain authorization through a basic OAuth 2.0 process.
This process requires your users to grant you access to their information
through a user authorization flow. After your application has access, it can
view or modify the Compute Engine resources in each user's project.

In your request, specify an access scope that limits your access to only the
methods and user information that your application requires. For example,
specify the compute.readonly scope when your application views existing
Compute Engine resources but does not create or modify any resources
for your users.

Scope                                            Meaning

https://www.googleapis.com/auth/cloud-platform   Full access to all resources and services in the specified Cloud Platform project.